Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches
25.11.23 Vulnerebility The Hacker News
The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.
A brief description of the vulnerabilities is as follows -
Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. (CVSS score: 10.0)
WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)
"The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company said of the first flaw.
"This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key."
As a fix, ownCloud is recommending to delete the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file and disable the 'phpinfo' function. It is also advising users to change secrets like the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
The second problem makes it possible to access, modify or delete any file sans authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.
Lastly, the third flaw relates to a case of improper access control that allows an attacker to "pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker."
Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has suggested that users disable the "Allow Subdomains" option as a workaround.
The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.
The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.
"This vulnerability is critical because it does NOT require any authentication," CrushFTP noted in an advisory released at the time. "It can be done anonymously and steal the session of other users and escalate to an administrator user."